US7770222B2 - Creating an interrogation manifest request - Google Patents
Creating an interrogation manifest request Download PDFInfo
- Publication number
- US7770222B2 US7770222B2 US11/927,286 US92728607A US7770222B2 US 7770222 B2 US7770222 B2 US 7770222B2 US 92728607 A US92728607 A US 92728607A US 7770222 B2 US7770222 B2 US 7770222B2
- Authority
- US
- United States
- Prior art keywords
- client
- server
- literal
- available
- end point
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related, expires
Links
- 238000000034 method Methods 0.000 claims abstract description 173
- 230000008569 process Effects 0.000 claims description 107
- 238000009434 installation Methods 0.000 claims description 14
- 239000003795 chemical substances by application Substances 0.000 description 155
- 230000006854 communication Effects 0.000 description 97
- 238000004891 communication Methods 0.000 description 83
- 230000006870 function Effects 0.000 description 12
- 230000009471 action Effects 0.000 description 11
- 238000004458 analytical method Methods 0.000 description 7
- 238000012546 transfer Methods 0.000 description 7
- 230000002155 anti-virotic effect Effects 0.000 description 5
- 239000003443 antiviral agent Substances 0.000 description 5
- 238000007726 management method Methods 0.000 description 5
- 239000011814 protection agent Substances 0.000 description 5
- 230000004044 response Effects 0.000 description 5
- 238000012550 audit Methods 0.000 description 4
- 230000008901 benefit Effects 0.000 description 4
- 238000011156 evaluation Methods 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 4
- 238000012545 processing Methods 0.000 description 4
- 238000013475 authorization Methods 0.000 description 3
- 230000003068 static effect Effects 0.000 description 3
- 241000700605 Viruses Species 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 150000001875 compounds Chemical class 0.000 description 2
- 235000014510 cooky Nutrition 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000011900 installation process Methods 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 230000005641 tunneling Effects 0.000 description 2
- 230000004931 aggregating effect Effects 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 230000007613 environmental effect Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 230000004224 protection Effects 0.000 description 1
- 238000007790 scraping Methods 0.000 description 1
- 238000000638 solvent extraction Methods 0.000 description 1
- 238000012384 transportation and delivery Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6236—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database between heterogeneous systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Definitions
- the present invention relates to the determination of access to resources on a remote server computer over a network.
- Various aspect of the invention may be used to limit access to resources on a remote computer based upon a user's computing environment.
- Electronic computer networks may be found in businesses, schools, hospitals, and even residences. With these networks, two or more computing devices communicate together to exchange packets of data according to one or more standard protocols, such as the TCP/IP protocols.
- one computer often referred to as a “client”
- requests that a second computer perform a service In response, the second computer, often referred to as a “server,” performs the service and communicates the resulting data back to the first computer.
- a business user may have accessed resources on a corporate server through a desktop computer connected to the corporate server by a private, secure corporate network. Now, however, that user may wish to access the same corporate resources from a personal computer at home over a public network, such as the Internet. Still further, the user may wish to access those resources from a laptop computer while traveling. The connection to the corporate server computer might then be made over a publicly accessible wireless network connection in a hotel or coffee shop. In some instances, that user may even desire to access those corporate resources from a computer at a public kiosk.
- a laptop provided by the same company maintaining the desired resources may have dedicated communication software installed. It may also have sophisticated security-related software, such as commercial anti-malware and anti-virus software. The same user's home computer, however, may only have some limited security-related software, such as residential anti-virus software. Also, it may communicate with the remote server computer using a browser application with additional “plug-in” software to enhance the browser's communication abilities. Still further, a computer at a public kiosk may have little or no security-related software, and provide only a basic browser software application for communicating with the remote server.
- a computer may access remote resources via communication channels secured using the Secure Socket Layers (SSL) protocol, the Hypertext Transfer Protocol Secure (HTTPS) protocol (which employs the Secure Socket Layers (SSL) protocol, or the Internet Protocol Security (IPSec) protocol on another computer.
- SSL Secure Socket Layers
- HTTPS Hypertext Transfer Protocol Secure
- SSL Secure Socket Layers
- IPSec Internet Protocol Security
- This identification may be direct, such as by credential information personally associated with the user, or indirect, such as credential information associated with a particular computer or copy of a software application.
- credential information personally associated with the user
- indirect such as credential information associated with a particular computer or copy of a software application.
- Various aspects of the invention can be employed to a user's access to resources on a remote computer based upon the computing environment of the computer or “end point” being employed by the user to obtain those resources.
- an analysis of the security of the user's computing environment determine whether the user is granted access to resources on a remote computer.
- authorization to access resources on a remote computer may be graded according to the current security state of the user's computing environment.
- an analysis of the communication software available to the user's computing environment may determine how resources on a remote computer are provided to the user.
- a user may be provisioned with one or more process objects in order to enhance the user's computing environment.
- the user's computing environment may be provisioned with one or more security objects deemed necessary to obtain requested resources from a remote computer.
- FIG. 1 shows one example of a conventional network.
- FIG. 2 shows an example of a computing device that can be used to implement a network appliance according to various examples of the invention.
- FIG. 3 shows an example of a server system that may be employed according to various examples of the invention.
- FIG. 4 shows the components of policy server according to various examples of the invention.
- FIGS. 5A-5E illustrate user interfaces that may be provided to an administrator by a unified policy server according to various embodiments of the invention.
- FIGS. 6A-6E illustrate a flowchart describing a method of controlling access to a resource according to various embodiments of the invention.
- FIG. 7 illustrates one technique that may be used by various embodiments of the invention to create a post-authentication interrogator agent manifest request according to various embodiments of the invention.
- FIG. 8 illustrates a process by which a client's operating environment is matched to the appropriate zone of trust.
- a remote computer's ability to access a resource will be determined based upon the computer's operating environment.
- the computer (or computers) responsible for controlling access to a resource will interrogate the remote computer to ascertain its operating environment.
- the computer (or computers) responsible for controlling access to a resource may, for example, download one or more interrogator agents onto the remote computer to determine its operating environment.
- the interrogator agents may interrogate the remote computer regarding any combination of static artifacts residing on the remote computer and process objects, including active processes and agents.
- the interrogator agents may, for example, interrogate the remote computer regarding security process objects, such as anti-virus agents, communication process objects, such as agents used to establish or maintain a virtual private network, or both.
- the computer (or computers) responsible for controlling access to a resource may additionally provision the remote computer with process objects.
- the computer (or computers) responsible for controlling access to a resource may require a remote computer to have a specific portfolio of process objects in order to access the resource. In some embodiments, this portfolio may vary depending upon the identity of the person using the remote computer to access the resource. If the interrogation process determines that the remote computer does not possess the required portfolio of process objects, then the computer (or computers) responsible for controlling access to the resource may provision the remote computer with the missing process objects.
- Some embodiments of the invention may additionally provision and install an installation agent to facilitate the subsequent installation of process objects.
- interrogator agents may use any number of interrogator agents, some embodiments of the invention will use two interrogator agents: an interrogator agent that is employed before authenticating the identity of the remote computer's user, and an interrogator agent that is employed after authenticating the identity of the remote computer's user.
- the pre-authentication interrogator agent may interrogate the remote computer for artifacts.
- the computer (or computers) responsible for controlling access to a resource may provision the remote computer with on or more process objects, such as security process objects useful to protect the user's credential information during the authentication process.
- the post-authentication interrogator agent can then interrogate the remote computer for additional artifacts, process objects, or a combination of both.
- the computer (or computers) responsible for controlling access to a resource may determine whether the remote computer may access that resource. Alternately or additionally, they may determine the communication mechanism used to access the resource.
- a client/server configuration (including a Web based architecture configuration) occurs when a computing device requests the use of or access to a resource from another computing device.
- requests to use, obtain, or otherwise access a resource may generically be referred to simply as “requesting” a resource, while using, obtaining, or otherwise accessing a resource may generically be referred to simply as “obtaining” a resource.
- the computing device responsible for providing the resource “serves” the computing device initially requesting the resource
- the computing device responsible for providing the resource is often referred to as a “server.”
- the computing device requesting the resource is then commonly referred to as a “client.”
- the client computing device initially requesting the resource is commonly referred to as the “end point” client.
- FIG. 1 illustrates a conventional relationship between a client 101 and a server 103 .
- the client 101 may transmit the request for one or more resources to the server 103 over a network 105 .
- the network 105 may be a private network, such as an intranet, or a public network, such as the Internet.
- the server 103 may then provide the client 101 with the requested resources over the network 105 .
- a server may be considered a virtual device rather than a physical device.
- the functions of the server 103 may be performed by a single computing device. Alternately, the functions of the server 103 may be performed by a group of computing devices cooperating together.
- a client may be considered a virtual device. That is, one or more separate computing devices can cooperate together to function as a client.
- a client may work with multiple servers in order to obtain a resource. For example, a client may submit the request for a resource to a first server, which may then relay the request to a second server. The second server may authenticate the identity of the client (or a user employing the client), to determine whether the client should be permitted may access or use the requested resource. Yet another server may then actually provide the resource to the client.
- a resource may be any type of object or service available through a server.
- the resource may be a data file or a directory of data files.
- the resource may also be a service, such as an electronic mailing service, a database service, a document management service, a remote shell or terminal service, or the like.
- FIG. 2 shows one example of a computer 201 that can be used to implement various aspects of the invention.
- the computer system 201 illustrated in FIG. 2 includes a processing unit 203 , a system memory 205 , and a system bus 207 that couples various system components, including the system memory 205 , to the processing unit 203 .
- the system memory 205 may include a read-only memory (ROM) 209 and a random access memory (RAM) 211 .
- ROM read-only memory
- RAM random access memory
- the computer system 201 may further include, for example, another processing unit 203 , a hard disk drive 215 for reading from and writing to a hard disk (not shown), a magnetic disk drive 217 for reading from or writing to a removable magnetic disk (not shown), or an optical disk drive 219 for reading from or writing to a removable optical disk (not shown) such as a CD-ROM or other optical media.
- a hard disk drive 215 for reading from and writing to a hard disk (not shown)
- a magnetic disk drive 217 for reading from or writing to a removable magnetic disk (not shown)
- an optical disk drive 219 for reading from or writing to a removable optical disk (not shown) such as a CD-ROM or other optical media.
- a number of program modules may be stored on the ROM 209 , the hard disk drive 215 , the magnetic disk drive 217 , and the optical disk drive 219 .
- a user may enter commands and information into the computer system 201 through an input device 223 , such as a keyboard, a pointing device, a touch screen, a microphone, a joystick or any other suitable interface device.
- the computer system 201 may simultaneously employ a variety of different input devices 223 , as is known in the art.
- An output device 225 such as a monitor or other type of display device; is also included to convey information from the computer system 201 to the user.
- output devices 225 such as displays, speakers and printers, may alternately or additionally be included in the computer system 201 .
- the computer system 201 should be capable of operating in a networked environment using logical connections to one or more remote computing devices, such as the remote computing device 227 .
- the computer system 201 may be connectable to the remote computer 227 through a local area network (LAN) 229 or a wide area network (WAN) 231 , such as the Internet.
- LAN local area network
- WAN wide area network
- the computer system 201 may be connected to the network through an interface 233 , such as a wireless or wired network interface card (NIC) or similar device. While the interface 233 is illustrated as an internal interface in FIG. 2 , it may alternately be an external interface as is well known in the art.
- NIC network interface card
- FIG. 3 illustrates one example of a server system 301 that may be used to implement various embodiments of the invention.
- the server system 301 includes an access server 303 , workplace server 305 , a provisioning server 307 , an end-point-control (EPC) server 309 , and a policy server 311 .
- FIG. 3 also illustrates a client 313 , which communicates with the access server 303 through a network 315 .
- the network 315 will be a public network, such as the Internet. With some implementations of the invention, however, the network 315 may be a private network, such a corporate or institutional intranet.
- the client 313 may be implemented by any suitable computing device or combination of computing devices.
- the client 313 may be a programmable computer, such as the programmable computer 201 described above.
- the computer may be, for example, a personal desktop computer, a laptop computer, or even a personal digital assistant or “smart” telephone.
- the term “user” will refer to the individual using the client 313 (or other client) to obtain resources from the server system 301 .
- the client 313 may be implemented on a computing device owned by its user or by the same corporation or institution maintaining the server system 301 (or by a related corporation or institution).
- the client 313 may be implemented on a computing device owned by a third party, and may even be provided in a publicly available kiosk.
- the client 313 transmits requests to the access server 303 for the use of or access to one or more resources provided through the workplace server 305 .
- the client 313 may request one or more resources from the workplace server 305 through a secure communication channel.
- the client 313 may seek to establish a secure communication channel using any desired conventional security protocol, such as the Secure Socket Layers (SSL) protocol, the Hypertext Transfer Protocol Secure (HTTPS) protocol, (which employs the Secure Socket Layers (SSL) protocol), the Internet Protocol Secure protocol (IPSec), the SOCKet Secure (SOCKS) protocol, the Layer Two Tunneling Protocol (L2TP), the Secure Shell (SSH) protocol, or the Point-to-Point Tunneling Protocol (PPTP).
- SSL Secure Socket Layers
- HTTPS Hypertext Transfer Protocol Secure
- IPSec Internet Protocol Secure protocol
- SOCKS SOCKet Secure
- L2TP Layer Two Tunneling Protocol
- SSH Secure Shell
- PPTP Point-to-Point Tunneling Protocol
- the client 313 may seek to establish a secure communication channel using a secure remote computer connection technique, such as Windows Remote Desktop, Citrix, Virtual Network Computing (VNC) or other “screen-scraping” technology.
- VNC Virtual Network Computing
- the workplace server 305 shown in FIG. 3 is merely representative of any combination of servers that can provide a requested resource.
- the workplace server 305 may be any server or combination of servers responsible for providing one or more resources to clients.
- the workplace server 305 may be an electronic mail server, a server that maintains a database, a print server, a data storage server, a file or document management server, a Voice over Internet Protocol (VoIP) server, a remote shell or terminal service or the like.
- VoIP Voice over Internet Protocol
- the workplace server 305 may only be indirectly responsible for providing requested resources.
- the workplace server 305 may be a proxy server providing a connection to another server 319 through, for example, a private network 317 , which will actually provide requested resources to the client 313 .
- the resource being sought by the user over the network does not have to be in physical or logical proximity to the workplace server 305 .
- the workplace server 305 may be responsible for providing a variety of different types of resources, including any combination of data files and services.
- the access server 303 may be any device or combination of devices that provides a gateway to the remainder of the server system 301 or other resource servers 319 .
- the access server 303 will be responsible for establishing both secure and unsecured communication channels with the client 313 .
- the client 313 may use an unsecured communication channel to contact the access server 303 .
- the access server 303 may then respond to the client 313 that the client 313 needs to establish a secure communication channel and the manner in which this may be done.
- the client 313 will request that the access server 303 establish a secure communication channel for the client 313 to obtain the requested resource.
- the access server 303 can then use an encrypted communication protocol, to create a secure communication channel between the client 313 and the server system 301 .
- the client 313 will contain special-purpose software for establishing a secure connection with the server system 301 through the access server 303 .
- the access server 303 may be configured to cooperate with software resident on the client 313 to create a Virtual Private Network (VPN) secure communication session between the client 313 and the server system 301 using secure encryption communication protocols, such as the Secure Sockets Layer (SSL) protocol or the Internet Protocol Secure (IPSec) protocol.
- SSL Secure Sockets Layer
- IPSec Internet Protocol Secure
- a user may employ a general purpose software application on the client 313 , such as a browser application, to establish a secure connection to the server system 301 through the access server 303 .
- a user may attempt to employ a browser application on the client 313 , such as the Microsoft Internet Explorer or Mozilla, to access a Universal Resource Locator (URL) address in the server system 301 .
- the access server may therefore be configured to use appropriate secure communication protocols, such as the Secure Hypertext Transfer Protocol (HTTPS), to establish secure communication with a client 313 using such a general purpose software application.
- HTTPS Secure Hypertext Transfer Protocol
- the access server 303 may include multiple components or be comprised of multiple servers for handling multiple communication techniques.
- the access server 303 may maintain the secure communication channel with the client 313 . With other embodiments of the invention, however, the access server 303 may simply establish the secure communication channel. It may then pass off responsibility for maintaining and administering the secure communication channel to another server, such as the workplace server 305 .
- the policy server 311 determines the conditions under which a user of the client 313 may obtain the requested resources. More particularly, as will be explained in detail below, the policy server 311 administers policy rules specifying the conditions under which a user may obtain a requested resource. With various embodiments of the invention, these conditions may include both the identity of the user and the operating environment of the client 313 . With various embodiments of the invention, the policy server 311 also may validate authentication credentials submitted by a user with a request to obtain resources from the server system 301 . As used herein, the term “administrator” will refer to a person authorized to configure policy rules for enforcement by the policy server 311 .
- the policy server 311 includes a credentials and profile information analysis module 401 . It also includes a rule set 403 , and a rule configuration module 405 . As will be discussed in further detail below, the credentials and profile analysis module 401 receives credential and profile information regarding a user requesting to access or use resources on the client computer 313 . The credentials and profiles analysis module 401 then compares this received information with rules in the rule set 403 , to determine if the requested access should be granted. With various embodiments of the invention, the credentials and profiles analysis module 401 may also require some action from the client computer 313 based upon requirements specified in the rule set 403 . The rule configuration module 405 then provides the server system administrator with a user interface for configuring and revising rules in the rule set 403 .
- the access server 303 may support a variety of different communication techniques by which the client 313 may securely communicate with the server system 301 , as noted above. Accordingly, with various embodiments of the invention an administrator may employ the policy server 311 to implement a single access control policy for multiple communication techniques provided by the access server 303 .
- FIGS. 5A-5E illustrate examples of user interfaces that such a unified policy server 311 may provide to an administrator according to various embodiments of the invention.
- FIG. 5A illustrates a user interface 501 that may be provided by the policy server 311 to display existing rules according to various embodiments of the invention.
- the user interface 501 displays a list of rules (sometimes refereed to as “access control list” (ACL) rules) that have been configured for controlling access to one or more resources accessible through the server system 301 .
- ACL access control list
- the entry for each rule may include, for example, a selection check box 503 , a rule number 505 , and an action indicator 507 .
- the selection check box 503 can be used to select the associated rule in order to, for example, delete or reorder the rule.
- the rule number then indicates the order in which the rule will be evaluated. With various embodiments of the invention, the rule number may also serve as an edit command control that the administrator can activate when he or she wishes to edit the rule.
- the action indicator then indicates the function of the rule. For example, a green action indicator may be used to indicate that the rule will permit access to the associated resource for a compliant user, while a red action indicator may be used to indicate that the rule will prohibit access to an associated resource for a compliant user.
- a rule may also include a description 509 , a user identification 511 , a destination 513 , a communication method indicator 515 , and a zone indicator 517 .
- the description indicator 509 can be used by the administrator to provide a convenient description of the function and/or applicability of the rule.
- the user indicator then indicates the users to which the rule applies. For example, an administrator may designate that a rule applies to one or more specific users, one or more particular communities, one or more particular realms, or any combination of these. Alternately, the administrator may designate the rule to be applicable to any user.
- the destination indicator 513 is then associated with the resource being controlled by the rule. With some embodiments of the invention, the destination indicator 513 may indicate the location in the server system through which the resource may be accessed. With still other embodiments of the invention, however, the destination indicator 513 may identify the resource itself.
- the communication method indicator 515 indicates the particular type of communication method to which the rule will be applied.
- various embodiments of the invention provide multiple communication techniques for establishing a secure communication session between the client 313 and the server system 301 .
- a rule can be configured to specify its applicability to one or more particular communication techniques.
- various embodiments of the invention allow an administrator to designate rules for all communication techniques using a unified set of user interfaces provided by a single rule configuration system.
- the zone indicator indicates the zone in which the operating environment of the client 313 must be classified in order to comply with the requirements of the rule.
- FIG. 5B illustrates a portion 519 of a user interface that may be provided by the policy server 311 to edit or create an access control rule for unified application over different communication techniques, according to various embodiments of the invention using the.
- this user interface portion 519 includes a number control 521 , a description control 523 , and a series of action controls 525 .
- the number control 521 is used to specify the number for the rule (i.e., the order in which the rule will be applied to a client). The administrator can then use the description control 523 to enter a useful description of the purpose or intent of the purpose or application of the rule.
- the action controls 525 allow the administrator to specify the action that the rule will take if a client 313 complies with the requirements of the rule. For example, if the administrator selects the “permit” action control 525 , then the client 313 will be permitted to access the associated resource upon compliance with the rule. Similarly, if the administrator selects the “deny” action control 525 , the client 313 will be denied access to the resource if the policy server determines that the client is in compliance with the provisions of the rule. An administrator can then select the “disabled” action control in order to disable the rule.
- FIG. 5C illustrates another portion 527 of a user interface that may be provided by a policy server 311 to allow an administrator to edit or create a rule according to various embodiments of the invention.
- This user interface portion 527 includes a user group control 529 A, and a user group edit command control 529 B. It also includes a destination resources control 531 A and a destination resources edit command control 531 B.
- the administrator may select the individual users, a group of users (such as a community or realm of users), or a combination of both to which the rule will be applied. Accordingly, the administrator may activate the user edit command control 529 B to obtain a list of available users and/or groups of users. The administrator can then select from the list in order to designate a selected user or group to appear in the user control 529 A.
- the administrator when configuring a rule, the administrator must designate the resource whose access will be controlled by the rule. The administrator may therefore activate the destination resource edit command control 531 B to obtain a list of resources available through the server system 301 . The administrator may then select from this list in order to specify the resources will be included in the destination resources control 531 A, to which the rule will be applied.
- FIG. 5D illustrates still another portion 533 of a user interface that may be provided by a policy server 311 to edit or create a rule.
- the user interface portion 533 includes a first set of communication technique selection controls 535 , and a second set of communication technique selection controls 537 .
- the first set of selection controls 535 allow an administrator to easily choose between applying a rule to all supported communication techniques, or choosing to selectively apply the rule to one or more specific communication techniques. If the administrator chooses to apply the rule to specific communication techniques, the administrator can then select among the communication technique selection controls 537 to specify one or more particular communication techniques for which the rule will be applied.
- FIG. 5E then illustrates a user interface portion 539 that may be provided by various embodiments of the policy server 311 to create or edit a rule.
- the user interface portion 539 includes a zone selection control 541 and a zone selection edit command control 543 . If the administrator wishes the rule to apply only when the client's operating environment complies with one or more particular zones of trust, the administrator can activate the zone selection edit command control to, for example, view a list of available zones of trust that have already been defined. The administrator can then select one or more zones of trust from this list to include those zones of trust in the zone selection control 541 . The zones of trust specified in the zone selection control 541 will then be included in the edited or new rule.
- the Provisioning Server and the End Point Control Server are The Provisioning Server and the End Point Control Server.
- the provisioning server 307 and the EPC server 309 assist the policy server 311 to enforce the access rules.
- the provisioning server 307 and the EPC server 309 cooperate to interrogate the client computer 313 to detect the presence of desired process objects.
- the provisioning server 307 and the EPC server 309 may cooperate to install and activate desired process objects on the client computer 313 .
- the provisioning server 307 and the EPC server 309 may cooperate to install and activate one or more of those security process objects on the client 313 .
- the provisioning server 307 and the EPC server 309 can determine if the client 313 is capable of executing a communication process object that will implement a more preferred or alternate communication technique. With these embodiments, the provisioning server 307 and the EPC server 309 may cooperate to install and activate one or more such communication process objects on the client device 313 .
- the security objects may be any software such as, for example, anti-malware or anti-virus agents.
- malware generally will refer to software agents or processes that are intended to obtain information for illicit purposes.
- virus will then generally be used to refer to software agents or processes intended to damage data or obstruct the operation of the host computer. It should be appreciated, however, that these terms should not be construed as limiting, since many software agents and processes may both obtain information for illicit purposes and damage data or obstruct the operation of the host computer.
- the security objects may also include client certification agents, client integrity agents, client inventory agents, data protection agents, patch management agents, personal firewall agents, system audit agents, and vulnerability assessment agents. Still further, with various embodiments of the invention, the provisioning server 307 and the EPC server 309 can cooperate to check for and/or install any desired security object on the client computer 313 .
- a policy rule may determine the availability of a resource based upon the identity of the user and the operating environment of the client 313 .
- multiple client operating environments may be categorized into a “zone of trust.”
- a policy rule may specify that a user may access a resource when his or her client operating environment can be categorized into zone of trust 1 or zone of trust 2 , but will be refused access if his or her client operating environment is categorized into zone of trust 3 .
- Another policy rule may then specify that a different user, user B, can only obtain that same resource if his or her client operating environment is categorized in zone of trust 1 .
- the provisioning server 307 and the EPC server 309 cooperate to interrogate a client's operating environment, and if necessary, to change a client's operating environment by provisioning the client 313 with specified security objects.
- the provisioning server 307 and the EPC server 309 may split the interrogation and provisioning process into two stages. One stage will be performed before the user authenticates his or her identity, and the second stage will then be performed after the use has authenticated his or her identity.
- provisioning server 307 and the EPC server 309 advantageously allows the provisioning server 307 and the EPC server 309 to ensure that the client 313 is provisioned with specified anti-malware agents or other desired agents before the authentication process begins.
- the specified anti-malware agents will then prevent malware from illicitly obtaining the user's credentials during the authentication process.
- provisioning server 307 and the EPC server 309 can avoid unnecessary provisioning steps if, for example, the user's credentials are not accepted during the authentication process.
- Various embodiments of the invention may therefore factor the client operating environment required before the authentication process begins and the client operating environment required after the authentication process has been completed in determining the zone of trust into which the client computer will be categorized. Moreover, by partitioning the criteria for a zone of trust into pre-authentication requirements and post authentication requirements, various embodiments of the invention can customize the process for determining the post authentication requirements based upon the user's identification obtained during the authentication process. Accordingly, the tools employed to interrogate the user's client regarding its operating environment can be varied based upon the identity of the user.
- the state of the client's operating environment when requesting a resource is referred to as the client's “signature.”
- This signature is a list of pre-existing static process objects or “artifacts” on the client 313 .
- the signature may also include processes or “agents” running on the client 313 .
- the information in the signature can be used to determine the identity of the client 313 .
- an administrator for a corporate-managed server system 301 may expect all corporate-owned computers to be configured with a particular set of artifacts and agents. Likewise, the administrator may expect a responsible employee to ensure that his or her personal computer is configured with a different set of particular artifacts and agents. On the other hand, the administrator may expect a computer provided in a public kiosk to have only a minimal set of artifacts and agents. Accordingly, the EPC server 309 may use the signature of a client 313 to distinguish a corporate-owned computer from a personal computer owned by an employee of the company from a computer at a public kiosk. The identity inherently provided by the signature may then subsequently used to classify the client 313 into a zone.
- a signature definition may be configured as a Boolean logic expression of “literal” values that conform to the standard Conjunctive Normal Form (CNF) (i.e. a conjunction of disjunctions). More particularly, a signature can be defined as a group of artifact literal values associated by the logical AND operator and one or more groups of agent literal values associated by the logical OR operator. The group of artifact literal values is then associated with the group (or groups) of agent literal values by a logical AND operator. Thus, for a client operating environment to match a particular signature, each artifact literal value must be TRUE and one agent literal value from each group of agents literal values also must be TRUE.
- CNF Conjunctive Normal Form
- the artifact literals may include “DIR,” where the value of this artifact literal will be a directory pathname to be found on client, “FILE,” where the value of this artifact literal will be a file to be found on the client, and “REGISTRY,” where the value of this artifact literal will be a KeyName to be found in the registry of the client.
- the artifact literals may also include “PROCESS,” where the value of this artifact literal value is a running process to be found on the client, “DOMAIN,” where the value of this artifact literal will be a domain of which the client is a member, and “OS,” where the value of this artifact literal will be an operating system employed by the client.
- the agent literals may include the “PFW_AGENT” literal and the “AV_AGENT” literal.
- the values of these agent literals will specify a particular instance of that agent.
- the PFW_AGENT literal value “ZONE_PFW” may correspond to the Personal Firewall provided by Zone Labs Corporation.
- the PFW_AGENT literal value SYGATE_PFW may then correspond to the Sygate Personal Firewall software application, while the PFW_AGENT literal value “MS_PFW” may correspond to the Microsoft Personal Firewall software application.
- the AV_AGENT literal value “MCAFEE_AV” may correspond to the McAfee Anti-Virus software application, while the AV_AGENT literal value “NORTON_AV” may correspond to the Norton Anti-Virus software application.
- the policy server 311 may maintain a global list of signatures. An administrator can then select one or more signatures from this global list to define a zone of trust. While the precise configuration of the list structure will be implementation specific, the structure of one example of such a list is provided below.
- a “zone of trust” or “zone” is an assertion of state on a client.
- the client state defining a zone of trust is a combination of the static and dynamic state existing on the client device prior to instantiating an authenticated secure communication session, (i.e., the signature), and the dynamic state added to the client during the lifecycle of the authenticated secure communication session.
- State assertions that are added to the client 313 during the authenticated secure communication session also are expressed as individual literals in a zone of trust definition.
- a definition of a zone of trust may be created as a Boolean logic expression of literals that conform to the standard Conjunctive Normal Form (CNF).
- CNF Conjunctive Normal Form
- the definition of a zone of trust will first include one or more signature literal values.
- a signature literal value is true if the pre-authentication operating environment of the client 313 (i.e., its signature) matches the signature definition for that literal.
- the definition of a zone of trust may be expressed as a group of compound signature literals associated by the logical OR operator, followed by one or more groups of agent literals associated by the logical OR operator. Because the agent literals employed in this definition correspond to agents that are provisioned and/or after the authentication process, these agent literals are referred to below as “ADDED_AGENT” literals.
- the group of compound signature literals is associated with the group (or groups) of ADDED_AGENT literals by the logical AND operator.
- one of the values of the signature literals must be TRUE.
- one of the values in each group of the ADDED_AGENT literals also must be TRUE in order for the client operating environment to match a zone of trust definition.
- the policy server 311 may provide literals for a variety of different types of agents. These agents may include, for example, anti-malware or anti-Trojan agents, anti-virus agents, client certification agents and client integrity agents. Anti-malware and anti-Trojan agents detect and protect against key-stroke loggers, back doors, remote hick jacking, spy-ware, and other processes intended to obtain information for illicit purposes. Anti-virus agents then detect and protect against viruses and other similar threats. Client certification agents determine the identity of a client device through a set of heuristics and/or cryptographic certification. Client integrity agents determine the integrity of the client device by performing multiple threat category functions rather than a single function.
- the policy server 311 also may provide literals for client inventory agents, data protection agents, and patch management agents.
- Client inventory agents search for artifacts on the client. They may be used, for example, to determine the signature of the client. Typically, however, these agents will not be included in signature or zone of trust definition. Instead, one or more agents of this type are provisioned on the client in advance of determining a client's signature or zone of trust.
- Data protection agents protect data being used in authenticated secure communication sessions from being disclosed to parties other than the authenticated session user.
- Patch management agents manage client system patches, in order to ensure that, where possible, security holes have been repaired by software vendors.
- the policy server 311 may provide literals for personal firewall agents, system audit agents, and vulnerability assessment agents.
- Personal firewall agents wall the client off from unauthorized network traffic and the associated threats of direct client system network attack and indirect network attack.
- System audit agents audit the compliance of end point security policy, while vulnerability assessment agents perform vulnerability scans of the client and assess its resistance to external threats.
- an agent will then correspond to a particular software application or other process.
- a value of “ACC” for the data protection agent literal DP_AGENT will correspond to the Cache Cleaner software application available from Aventail Corporation of Seattle, Wash.
- a value of “ASD” for the data protection agent literal DP_AGENT will correspond to the Aventail Secure Desktop software application also available from Aventail Corporation of Seattle, Wash.
- the value of “SSP” for the client integrity agent literal CI_AGENT will correspond to the Sygate Security Portal (also referred to as the Sygate On Demand product) available from Sygate Technologies of Fremont, Calif.
- a zone is described with respect to embodiments of the invention that divide the interrogation process into a pre-authentication interrogation of the client's operating environment and a post-authentication interrogation of the client's operating environment.
- Various embodiments of the invention may alternately define a zone with any combination of artifact and agent literal values associated by any combination of logical operators and comparison operators.
- Various embodiments of the policy server 311 may provide a global list of zones of trust for selection by an administrator. While the precise configuration of the list structure will be implementation specific, the structure of one example of such as list is provided below.
- the list of zones also typically will include a default zone that does not require a specific signature.
- this zone of trust may still require that the client 313 be provisioned with one or more additional process objects.
- a user will be categorized into a “realm.”
- a realm is any group of one more users that is permitted to authenticate against a specific set of authentication servers, such as, for example, an LDAP authentication server, a Radius authentication, or an Active Directory authentication server.
- various embodiments of the policy server 311 may provide for the use of one or more “communities.”
- a community is a group of one or more users within a realm that is associated with one or more defined zones. Thus, a community may be considered a subset instance of a realm authentication and authorization name space. With some applications of the invention, a community definition may have some additional usefulness outside of the scope of end point control. Accordingly, only the features of a community definition that relate to end point control will be discussed herein.
- a community represents a configuration of zones of trust in the form of a scoped list, into which a specific authenticated user is authorized to be classified.
- the provisioning server 307 installs a post-authentication interrogator agent onto the client 313 , in order to ascertain more information regarding the client's operating environment (e.g., to ascertain the remainder of the client's signature that was not discovered by the pre-authentication interrogator agent).
- the EPC server 309 can thus program this post-authentication interrogator agent with a specific manifest of artifacts to search for on the client 313 that correspond only to the zones of trust in which the user can be categorized.
- the post-authentication interrogator agent will not need to search for the artifacts and agents included in every defined zone of trust; only for those zones of trust that are applicable to that user.
- the interrogation results returned from this post-authentication interrogator agent is then used to classify the user's client 313 into a specific zone of trust according to the Boolean logic previously described.
- the policy server 311 will determine whether the client 313 may obtain a particular resource based upon a policy rule.
- the makeup and use of policy rules may have some additional usefulness outside the scope of end point control.
- a policy rule represents the enforcement mechanism of a zone of trust. That is, in order for the client operating environment to be factored into a security policy, it must be associated with a policy rule. With various embodiments of the invention, this association is made with the use of a zone of trust literal. More particularly, when a zone of trust literal is encountered during evaluation of a policy rule, the currently classified zone of trust for the user is employed in Boolean conjunctive logic for the zone of trust literal, and therefore factored into the security policy. While the precise configuration of the structure of policy rules will be implementation specific, the structure of one example of a list of policy rules is provided below.
- policies server 311 may provide for hierarchical and other forms of aggregating zones in a policy rule definition.
- step 601 the user employs the client 313 to request a resource available through the workplace server 305 .
- the user may employ a browser application on the client 313 to provide the access server 303 with a Universal Resource Locator (URL) associated with a desired resource available through the workplace server 305 .
- URL Universal Resource Locator
- this initial request may be submitted via an unsecured communication channel.
- the access server 303 performs an authorization check of the communication with the policy server 311 in step 603 . If the communication is part of an existing authenticated communication session (and the end point control process thus has already been performed for the client 313 ), the remainder of the end point control process may be skipped. Likewise, if the requested resource does not require authentication or end point control (e.g., it is a publicly available resource), then again the remainder of the end point control process may be skipped and the client 313 allowed to obtain the requested resource.
- the access server 303 transfers control of communications with the client 313 to the provisioning server 307 , so that the provisioning server 307 may begin the pre-authentication interrogation of the client 313 .
- the provisioning server 307 downloads the pre-authentication interrogator to the client 313 . If the pre-authentication interrogator is successfully installed, then the pre-authentication interrogator will transmit a report of the client's operating environment back to the EPC server 309 . With some embodiments of the invention, the pre-authentication interrogator may also send a message to the EPC server 309 confirming its successful information.
- the interrogation report may include information regarding artifacts on the client 313 , such as its operating system name and version, whether the browser supports the Java programming language, and the like.
- the pre-authentication interrogator agent may be, for example, a Java applet that can be installed and activated through the browser without being blocked by any security features of the client 313 .
- the pre-authentication interrogator agent requires no input, and returns various data to the provisioning server 307 .
- the pre-authentication interrogator agent is used by the server system 301 to determine artifacts on the client 313 , in order to select the kind of post-authentication interrogator to employ to complete the determination of artifacts and agents.
- the provisioning server 307 may use the information provided by the pre-authentication interrogator agent to facilitate provisioning of additional agents on the client 313 .
- the fundamental data structure used to communicate interrogation results between the provisioning server 307 and the pre-authentication interrogator agent is the pre-authentication interrogator agent artifacts schema.
- This data structure is a fixed set of elements that the pre-authentication interrogator agent populates and sends to the provisioning server 307 .
- elements that may be employed in the schema may include operating system information for the client 313 , such as the operating system name, version, most recent service pack, and build, and the client's processor type.
- the elements may also include information regarding the browser being used to access the resources, such as the browser name, and version, the version of JavaScript supported by the browser, the vender and the version of Java supported by the browser.
- the schema elements may include the local (human) language used by the client 313 , the size of the monitor employed by the client 313 , and any other desired environmental information that may be accessible by the pre-authentication interrogator agent.
- the pre-authentication interrogator agent will obtain the information to populate the artifacts schema from conventionally available sources on the client 313 .
- the client 313 is employing the Microsoft Internet Explorer browser application available from Microsoft Corporation of Redmond, Wash.
- the pre-authentication interrogator agent may obtain the information from the Document Object Model of the browser.
- other methods well known in the art can alternately or additionally be used to determine information to populate the artifacts schema, such as the availability of Active-X or Java, if the pre-authentication interrogation of the client environment does not report on them.
- the pre-authentication interrogator agent may then report the schema back to the EPC server 307 using, for example, a cookie.
- the provisioning server 307 then transfers control to the EPC server 309 , so that the EPC server 309 can process the results provided by the pre-authentication interrogator.
- the EPC server 309 determines whether it has received an interrogation report from the pre-authentication interrogator installed on the client 313 . If it did not receive an interrogation report, then the EPC server 309 may terminate communications with the client 313 . If the EPC server 309 did receive an interrogation report, then in step 609 the EPC server 309 determines which process objects, if any, should be downloaded to the client 313 .
- the EPC server 309 based upon the information obtained by the pre-authentication interrogator agent, such as the operating system, processor, Java runtime, and Active-X runtime used by the client 313 , the EPC server 309 identifies various security objects that should be installed on the client 313 .
- the administrator may not require any process objects to be downloaded to the client. For example, if the client 313 is employing an operating system that is an infrequent target of malware (such as the Macintosh operating system provided by Apple Computers), then the EPC server 309 may determine that no process objects should be downloaded to the client 313 . If, however, the client 313 is employing an operating system that is a frequent target of malware (such as the Microsoft Windows operating system available from Microsoft Corporation of Redmond, Wash.), then the EPC server 309 may identify one or more security process objects that should be downloaded to the client 313 . As discussed in detail above, these process objects are downloaded before the authentication process is started. Accordingly, the administrator may desire that security process objects, such as anti-malware agents, be downloaded to the client 313 to better protect the confidentiality of the user's credentials during the subsequent authentication process.
- security process objects such as anti-malware agents
- the provisioning server 311 downloads any process objects designated by the EPC server 309 to the client 313 . If the process objects downloaded to the client 313 were successfully installed and operating, they will transmit a communication reporting their successful installation to the EPC server 309 . Thus, in step 613 , the EPC server 309 checks to confirm that the downloaded process objects were successfully installed. If they were not, then the EPC server 309 may terminate communications with the client 313 . If the downloaded process objects were successfully installed, however, then the EPC server 309 transfers control of communication with the client 313 to the policy server 311 to authenticate the user.
- step 615 the policy server 311 , requests credential information from the user, and subsequently authenticates the user in step 617 . If the user fails to authenticate, then communications with the client 313 are terminated. If the user is successfully authenticated, then control over the communication with the client 313 is transferred back to the EPC server 309 in order to perform the post-authentication portion of the end point control process.
- the EPC Server determines which zones of trust, if any, are configured for the community or realm for which the user is an authenticated member. If one or more zones of trust are configured for the user's community (or realm), then, in step 621 , the provisioning server 307 downloads an end point installer agent to the client 313 . If a zone of trust was not configured for the user's community (or realm), then the process proceeds to step 629 .
- various embodiments of the invention may allow a user to request a resource using a variety of different communication techniques. Moreover, as will be discussed in more detail below, some embodiments of the invention may even provision the client 313 with communication process objects necessary to switch communication techniques while requesting a resource, thereby enabling the client 313 to employ the most convenient or beneficial communication technique available to obtain the resource. In order to allow the client 313 to switch communication techniques without having to reauthenticate the user, these embodiments of the invention may provide the client 313 with a set of authentication credentials confirming that the user's identity already has been authenticated by the policy server 309 .
- some embodiments of the invention may create a cookie on the client 313 that includes authentication information confirming that the user's identity already has been authenticated by the policy server 309 . Because this authentication information may be universal for the different communication techniques provided by the server system 301 , the client 313 will not have to resubmit the user's credentials in order to establish a secure communication channel after switching to a different communication technique.
- the end point installer agent is used to facilitate the subsequent provisioning of process objects on the client 313 .
- the end point installer agent will be an agent configured to work with the client's operating environment to reliably install specified process objects onto the client 313 .
- a client may employ a browser application, such as the Microsoft Internet Explorer browser application, to communicate with the server system 301 .
- various embodiments of the invention will employ an end point installer agent compatible with the Microsoft Internet Explorer browser application.
- some embodiments of the invention may employ an end point installer agent implemented as an ActiveX control.
- the browser may install the end point installer agent onto the client directly from a cab file downloaded from the provisioning server 307 . If the user does not have sufficient privileges to install ActiveX controls, various embodiments of the invention may employ additional processes to facilitate the installation of the end point installer agent.
- some embodiments of the invention may also download a Java applet, referred to as an end point loader, to facilitate the download and installation of the end point installer agent.
- the end point loader will download a .cab for the end point installer agent file, and then use the Java Native Interface (JNI) to extract the .cab file into, for example, one or more .dll and .inf files and instantiate the end point installer agent.
- JNI Java Native Interface
- the end point loader will then instruct the end point installer agent to register itself with the operating system.
- the end point installer agent is configured to register itself in the “users” portion of the Microsoft Windows COM registry instead of the “system” portion of the Microsoft Windows COM registry where ActiveX controls typically are registered, thereby allowing the end point installer agent to install and run regardless of the user's installation privileges.
- Various embodiments of the invention may use a variety of techniques to avoid obstructions presented by the security protections of different operating systems. For example, when updated with the Microsoft Windows Service Pack 2, the Microsoft Windows operating system may not allow a user to install an Active X control without requiring the user to acknowledge an additional prompt. To avoid requiring the user to specifically acknowledge this prompt; various embodiments of the invention may employ JavaScript programming to acknowledge the prompt and complete the installation of the end point installer agent. For a client 313 that does not employ the Microsoft Internet Explorer browser application, various embodiments may employ similar Java-based or other software language-based end point installer agents.
- the end point installer agent Once the end point installer agent is installed, it will then accept instructions from the provisioning server 307 .
- the provisioning server 307 may instruct the end point installer agent to download one or more process components from the provisioning server 307 .
- the provisioning server 307 may send the end point installer agent HTTP format instructions to install components located at the provisioning server 307 .
- the end-point installer agent will obtain an .inf file for the components, which lists the required pieces of components, and the version information for the components.
- the end point installer agent will then compare the version information in the downloaded file with version information for any corresponding components already present on the client 313 .
- the end point installer agent will then enter this determination and any associated information into a log, and discontinue the installation process. If, however, the end point installer agent determines from the version information that the components on the provisioning server, it will request the new components from the provisioning server and install them. The network-intense download of components is thus performed only when required. More particularly, it will rename the resident components, install the newly obtained components, and then delete the renamed components (e.g., marks them for deletion upon rebooting of the client 313 ). This ensures that some form of the components can be salvaged for use by the client 313 if the installation process fails. With various embodiments of the invention, the end point installer agent will only install components that have a verifiable signature confirming their authenticity from trusted source.
- the end point installer agent will keep a record of files that it installs, and has the capability of subsequently uninstalling all these files in a single operation, so that all of these file can be subsequently uninstalled at the conclusion of the communication session.
- the browser may provide a feature to uninstall specified processes.
- an uninstaller agent may be installed with the end point installer agent. This uninstaller agent can then uninstall all previously loaded process objects. This may be done by specific prompt, or by automatic detection of end of communication session.
- the EPC server 309 creates an interrogation manifest request based upon the zones configured for the user's community or realm.
- This interrogation manifest request may be created will be discussed with reference to FIG. 7 . More particularly, FIG. 7 illustrates one technique that may be used by various embodiments of the invention to create a post-authentication interrogator agent manifest request according to various embodiments of the invention.
- the EPC server 309 initially selects the next available realm from among the list of all available realms. If there are no further realms to select, then the EPC server 309 concludes that the manifest request creation process is completed.
- step 703 the EPC server selects the next available user community in the realm. If there is no remaining user community available for the realm, then the process returns to the step 701 . If, however, there is a user community in the realm that has not yet been processed, in step 705 the EPC server 309 creates a literal graph for that user community.
- step 707 the EPC server will obtain the next available zone in the list of zones associated with the user community. If there are no further zones listed for that user community, then the process returns to step 705 . Otherwise, the EPC server 309 will obtain the first signature listed for the current zone. If there are no further available signatures, then the EPC server will return to step 707 to obtain the next available zone for the user community. If, however, a signature is available for analysis, then in step 711 the EPC server 309 will obtain the first literal specified in the definition of that signature. If there is no remaining literal designated for the signature, then the process returns to step 709 , where the EPC server 309 will obtain the next available signature for the current zone.
- step 713 the EPC server determines whether the literal is unique to the current literal graph for the user community. If it is, then in step 715 , the literal is added to the graph, and the EPC server 309 obtains the next literal for the signature. Otherwise, the process simply returns directly to step 711 .
- each literal for each signature making up each zone for each user community in all available realms are identified and a graph is created for each zone of each user community.
- the EPC server 309 can then simply identify the appropriate graphs for that user community, and incorporate the graph into a manifest request for processing by the post-authentication interrogator agent.
- the provisioning server 307 downloads and installs the post-authentication interrogator with the manifest request onto the client 313 . More particularly, after the installer agent has been installed on the client 313 , the provisioning server 307 sends a message to the installer to instantiate the post-authentication interrogator agent.
- the message may be, for example, an HTML message.
- This message may also include, for example, a URL identifying a configuration file containing the manifest request.
- This configuration file may use, for example, the Microsoft Windows .ini file format.
- the configuration file will include commands for the post-authentication interrogator to search for specific artifacts or process objects.
- it may include commands instructing the post authentication interrogator to look for a specified file, directory, running process, registry key, registry value or data, whether a specific personal firewall is running, user domains.
- This information may be obtained through conventional operating system application programming interfaces (APIs), or through APIs specifically made available by third parties, such as the providers of a process object.
- APIs application programming interfaces
- the manifest request may use Hash Message Authentication Code (HMAC) signing techniques to ensure that information contained in the manifest request (or in the manifest response) is not forged by a third party for illicit uses.
- HMAC Hash Message Authentication Code
- queries in the manifest request may be formulated as questions prompting specific prior known answers rather than open ended questions, as open-ended questions could be viewed as a privacy threat if abused by the server administrator via clever signature definitions. For example, wildcard queries may be prohibited from the manifest request to prevent disclosure of information beyond that needed for evaluation of access control and authentication of the user session.
- the fundamental data structure that may be used to exchange data between the EPC server 309 and the post-authentication interrogator agent is the interrogation manifest.
- the post-authentication interrogation manifest includes a variable number of questions in the form of literals sent from the EPC server 309 to the post-authentication interrogator agent in the manifest request, and answers added to the literals on responses sent back to the EPC server 309 by the post-authentication interrogator agent.
- the following presents an abstract definition of this manifest, but it should be noted that different embodiments of this structure will be implementation specific.
- the post-authentication interrogator After it has been installed on the client 313 , the post-authentication interrogator examines the operating environment of the client 313 , looking for artifacts and process objects specified in the post-authentication interrogator manifest request. It then reports back its findings via a post-authentication interrogator manifest response to the EPC server 309 in step 627 .
- the post-authentication interrogator may create an XML file containing the interrogation results, and post these results back to the EPC server 309 .
- the EPC server 309 will classify the client's operating environment into a zone of trust in step 629 . This process will be described in more detail with reference to FIG. 8 .
- FIG. 8 illustrates a process by which a client's operating environment is matched to the appropriate zone of trust.
- the policy server 311 obtains the next available zone of trust from the list of all zones of trust associated with the user's community. If there are no further zones of trust available for the user's community that have not already been analyzed, then the policy server 311 classifies the client's operating environment in the default zone of trust. If, however, there is an available zone of trust in the user's community that has not been analyzed, the next available signature for the zone of trust is obtained in step 803 .
- step 801 If there are no further signatures in the definition of the current zone of trust, then the process returns to step 801 . Otherwise, the policy server 311 obtains the next the next available literal in the obtained device profile in step 805 . If there are no further literals in the signature, then the operating environment of the client 313 is categorized into the current zone. Otherwise, the obtained literal is compared with the corresponding state of the client's operating environment. If the value of the literal is true for the current operating environment, then the process returns to step 805 to examine the next literal available in the signature. If, however, the value of the literal is not true for the client 313 , then the process returns to step 803 to obtain the next available signature for the current zone.
- the policy server 311 may provision the client 313 with any suitable with communication process objects that will enable the client 313 to employ an alternate communication technique for communicating with the server system 313 .
- various embodiments of the invention may provide different communication techniques for securely communicating with the server system 301 , and subsequently obtaining resources from or through the server system 301 .
- some embodiments of the invention will accommodate one communication technique employing a conventional browser.
- Various embodiments of the invention may alternately or additionally accommodate another communication technique employing the Microsoft Windows Internet Explorer browser where the communication functionality has been enhanced by an ActiveX control.
- These embodiments of the invention may further accommodate a communication technique implemented by a Java-enabled application that is specifically configured for securely communicating with the server system 301 .
- various embodiments of the invention may accommodate a communication technique implemented by a special purpose software application that works with the client's operating system.
- some embodiments may support a communication technique implemented by a software application that is a client of the Microsoft Windows operating system provided by Microsoft Corporation of Redmond, Wash.
- one communication technique may be preferable to another communication technique.
- the user may obtain more effective communication with the server system 301 by employing a special purpose software application than by using a browser application to communicate with the server system 301 .
- a special purpose software application which requires the Microsoft Windows operating system to run would not be useful for communication with the server system 301 . Instead, the user would be better served using a communication technique implemented by a Java-enabled application,
- various embodiments of the invention may provision a client 313 with communication process objects that will enable the client 313 to employ a communication technique most suitable to the client's operating environment. More particularly, these embodiments of the invention may employ the information obtained from one or more interrogator agents to determine which communication techniques can be supported by the client 313 . The provisioning server 313 can then provision the client 313 with the communication process objects to implement one or more of these communication techniques.
- the provisioning server 307 may determine from the client's signature whether the client 313 is employing the Microsoft Windows operating system. If the client 313 is employing the Microsoft Windows operating system, then the provisioning server 307 may download and install a software application that is a client of the Microsoft Windows operating system to establish a secure connection with the server system 301 . Similarly, the provisioning server 307 may determine from the client's signature whether the client 313 is Java enabled and, if it is, then the provisioning server 307 may download and install a Java-based software application to establish a secure connection with the server system 301 . Still further, the provisioning server 307 may determine from the client's signature whether the client 313 is employing the Microsoft Internet Explorer browser and will allow the installation of ActiveX controls. If it does, then the provisioning server 307 may download and install an ActiveX control to help the Microsoft Internet Explorer browser establish a secure connection with the server system 301 .
- the provisioning server 307 may provision the client 313 with communication process objects in this manner according to any desired criteria. For example, the provisioning server 307 may provision the client 313 with every communication process object that the client 313 will support. Alternately, the provisioning server 307 may provision the client 313 with a communication process object based upon a preset hierarchy, or based upon heuristics accounting for communication process objects already installed on the client 313 . It also should be noted that, if the end point installer agent was not previously installed during step 621 , it may be installed at this point to facilitate the installation of the communication process objects.
- the EPC server 309 determines whether the client 313 should be provisioned with any additional security process objects based upon the zone of trust into which the client 313 has been classified.
- the definition of the zone of trust may also require that additional process objects, such as additional security process objects, be installed on the client 313 in order for the client to remain classified in that zone of trust.
- the provisioning server 307 will provision the client 313 with any additional security process object required by the EPC server. It should be noted that, if the end point installer agent was not previously installed during step 621 , it may be installed at this point to facilitate the installation of the additional security process objects.
- the additional security process objects may report the results of their successful installation to the provisioning server 307 . Accordingly, the provisioning server 307 will confirm that the required additional security process objects were properly installed on the client 313 . Upon successful installation, these additional security process objects report back their security status to the EPC server 309 . If one or more of the additional security process objects were not properly installed or failed to report positive status to the EPC server 309 , then the server system may discontinue communicating with the client 313 . Alternately, various embodiments of the server system 301 may attempt to remediate the classification of the client 313 into another zone of trust that does not require installation of the additional security process objects.
- the EPC server 309 may asynchronously and periodically revalidate the state of the client's operating environment, For example, the EPC server 309 may periodically request that the post-authentication interrogator verify the compliancy state of agents associated with the current zone of trust. It then proceeds to re-classify the zone of trust, where a zone of trust change may occur due to the current compliancy state of the client device.
- some embodiments of the invention may employ zones of trust without regard to the user's identity.
- all clients may be assigned the same set of zones of trust, regardless of the identity of their individual users.
- an administrator can ensure that all clients have an operating environment that meets minimum security requirements.
- various embodiments of the invention may employ a single interrogator agent.
- the single interrogator agent may interrogate the client 313 to obtain its entire signature before the authentication process.
- Other of these embodiments may deploy the single interrogator agent after the authentication process.
- still other embodiments of the invention may employ any desired number of interrogator agents to ascertain the client's operating environment.
- various embodiments of the invention may perform some task associated with a zone of trust when a client is classified into that zone of trust.
- the server system 301 may log the client 313 off of a secure communication session if the client 313 is assigned a zone of trust associated with this command.
- any desired command to be enacted by the server system 301 or one of its components can be associated with a zone of trust being assigned to a client 313 .
- connections have been described above, unless otherwise expressly indicated these connections should be considered to include both direct connections between two elements or indirect connections that may include any number of intermediate elements between the connected elements.
- various functions have been ascribed to one or more components of particular embodiments of the invention (such as servers), various embodiments of the invention may collect or redistribute these functions in any desired configuration.
- a single server may be used to implement the functionality of both the provisioning server 307 and the EPC server 309 described above. Alternately, some embodiments of the invention may provide three or more servers to perform that functionality.
- various functions ascribed to a particular server may be implemented in different embodiments of the invention by another server.
- one or more of the functions of the EPC server 309 may be performed by the policy server 311 and vice versa in alternate embodiments of the invention.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Business, Economics & Management (AREA)
- Human Resources & Organizations (AREA)
- Physics & Mathematics (AREA)
- Strategic Management (AREA)
- Computer Hardware Design (AREA)
- Entrepreneurship & Innovation (AREA)
- Economics (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Bioethics (AREA)
- Development Economics (AREA)
- Health & Medical Sciences (AREA)
- Educational Administration (AREA)
- Databases & Information Systems (AREA)
- Game Theory and Decision Science (AREA)
- Software Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Marketing (AREA)
- Operations Research (AREA)
- Quality & Reliability (AREA)
- Tourism & Hospitality (AREA)
- General Business, Economics & Management (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
Signature=A[1]&& . . . &&A[n_a ]&&(PFW[1]∥ . . . ∥PFW[n_pfw])&&(AV[1]∥ . . . ∥AV[n_av])&&(CC[1]∥ . . . ∥CC[n_c])&&(O[1]∥ . . . O[n_o])
-
- 1. GlobalListOfSignatures[0-∞]
- a. Signature
- i. Artifacts[0-∞]
- ii. PersonalFirewallAgents[0-∞]
- iii. AntiVirusAgents[0-∞]
- a. Signature
- 1. GlobalListOfSignatures[0-∞]
Zone=(S[1]∥ . . . ∥S[n_s])&&(DP[1]∥ . . . ∥DP[n_dp])&&(CI[1]∥ . . . ∥CI[n_ci]) &&(O[1]∥ . . . ∥O[n_o])
-
- 1. GlobalListOfZones[1-∞]
- a. Zone
- i. Signatures[0-∞]
- 1. GlobalListOfSignatures[ordinal]
- ii. DataProtectionAgents[0-∞]
- iii. ClientIntegrityAgents[0-∞]
- i. Signatures[0-∞]
- a. Zone
- 1. GlobalListOfZones[1-∞]
-
- 1. GlobalListOfRealms[1-∞]
- a. Realm
- i. Authentication servers [0-∞]
- 1. GlobalListOfAuthenticationServers[ordinal]
- ii. ListOfUserCommunities[1-∞]
- 1) User Community
- a) Members[1-∞]
- i. User@Realm or Group@Realm
- b) Non End Point Control Related Elements
- c) . . .
- d) . . .
- e) ZoneOfTrust[0-∞]
- i. GlobalListOfZones[ordinal]
- f) DefaultZone
- i. Authentication servers [0-∞]
- a. Realm
- 1. GlobalListOfRealms[1-∞]
-
- 1. GlobalListOfAccess Control Lists[1-∞]
- a. Access Control List
- i. Non End Point Control Related Literals
- ii. . . .
- iii. . . .
- iv. ZoneOffrust[0-∞]
- 1. GlobalListOfZones[ordinal] literal-comparison-operator CurrentClassifiedZone
- a. Access Control List
- 1. GlobalListOfAccess Control Lists[1-∞]
- 1. Individual Generic Queries
- These literals have no input and are answered with values pertaining to the literal. There may be 0-1 occurrences per literal present in the manifest.
- a. Literal=User Privilege
- i. Input=None
- ii. Output=Admin |Power User |Restricted User
- b. Literal=MAC Addresses
- i. Input=None
- ii. Output=List of MAC addresses
- c. Literal=Link Speed
- i. Input=None
- ii. Output=Kbps of SSL VPN link
- d. Literal=User Home Directory
- i. Input=None
- ii. Output=User Home Directory
- e. Literal=System Directory
- i. Input=None
- ii. Output=User Home Directory
- a. Literal=User Privilege
- These literals have no input and are answered with values pertaining to the literal. There may be 0-1 occurrences per literal present in the manifest.
- 2. Individual Specific Queries
- These literals all have input that is interpreted as an equality expression. There may be 0-∞ occurrences per literal present in the manifest.
- a. Literal=File
- i. Input=Leaf Path Name
- ii. Output=TRUE if found, else FALSE
- b. Literal=Directory
- i. Input=Intermediate Path Name
- ii. Output=TRUE if found, else FALSE
- c. Literal=Process
- i. Input=Process Name [AUTHENTICODE_CHECK]
- ii. Output=TRUE if running and if required, authenticode verified, else FALSE
- d. Literal=Registry (WIN-ONLY)
- i. Input=Key Name [Value [Data]], Literal Comparison Operator
- ii. Output=TRUE if Key Name present, and if present, Value and Data match Literal Comparison Operator, else FALSE
- e. Literal=User Domain
- i. Input=WINS_DOMAIN|DNS_DOMAIN
- ii. Output=TRUE if user is logged into domain, else FALSE
- f. Literal=Machine Domain
- i. Input=WINS Name|DNS Name
- ii. Output=TRUE if client device is a domain member, else FALSE
- a. Literal=File
- These literals all have input that is interpreted as an equality expression. There may be 0-∞ occurrences per literal present in the manifest.
- 3. Set Individual Keyword Queries
- These literals all have input that is interpreted as described by the output. There may be 0-1 occurrences per literal in the set.
- a. Literal Set=ZONE_PFW|Sygate_PFW|MS_PFW
- i. Input=None
- ii. Output=TRUE if firewall running, else FALSE; for each keyword present in the set
- b. Literal Set=McAfee_AV|Nortal_AV
- i. Input=None
- ii. Output=TRUE if AV running, else FALSE; for each keyword present in the set
- c. Literal Set=CONNECT, BET, ODX, ODJ, NG
- i. Input=None.
- ii. Output=NOT_INSTALED, or INSTALLED, or RUNNING; for each keyword present in the set
- a. Literal Set=ZONE_PFW|Sygate_PFW|MS_PFW
- These literals all have input that is interpreted as described by the output. There may be 0-1 occurrences per literal in the set.
Claims (16)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/927,286 US7770222B2 (en) | 2003-12-10 | 2007-10-29 | Creating an interrogation manifest request |
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US52887003P | 2003-12-10 | 2003-12-10 | |
US61915104P | 2004-10-14 | 2004-10-14 | |
US11/009,692 US8255973B2 (en) | 2003-12-10 | 2004-12-10 | Provisioning remote computers for accessing resources |
US11/251,087 US7827590B2 (en) | 2003-12-10 | 2005-10-14 | Controlling access to a set of resources in a network |
US11/927,286 US7770222B2 (en) | 2003-12-10 | 2007-10-29 | Creating an interrogation manifest request |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/251,087 Continuation US7827590B2 (en) | 2003-12-10 | 2005-10-14 | Controlling access to a set of resources in a network |
Publications (2)
Publication Number | Publication Date |
---|---|
US20080134302A1 US20080134302A1 (en) | 2008-06-05 |
US7770222B2 true US7770222B2 (en) | 2010-08-03 |
Family
ID=36685473
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/251,087 Active 2027-12-21 US7827590B2 (en) | 2003-12-10 | 2005-10-14 | Controlling access to a set of resources in a network |
US11/927,286 Expired - Fee Related US7770222B2 (en) | 2003-12-10 | 2007-10-29 | Creating an interrogation manifest request |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/251,087 Active 2027-12-21 US7827590B2 (en) | 2003-12-10 | 2005-10-14 | Controlling access to a set of resources in a network |
Country Status (1)
Country | Link |
---|---|
US (2) | US7827590B2 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050144481A1 (en) * | 2003-12-10 | 2005-06-30 | Chris Hopen | End point control |
US20060143703A1 (en) * | 2003-12-10 | 2006-06-29 | Chris Hopen | Rule-based routing to resources through a network |
US20070061887A1 (en) * | 2003-12-10 | 2007-03-15 | Aventail Corporation | Smart tunneling to resources in a network |
US20080046884A1 (en) * | 2005-02-25 | 2008-02-21 | Nhn Corporation | Method for installing activex control |
US20090222882A1 (en) * | 2008-02-29 | 2009-09-03 | Microsoft Corporation | Unified management policy |
US20100281473A1 (en) * | 2009-04-29 | 2010-11-04 | Microsoft Corporation | Automated software deployment triggered by state differences in distributed systems |
US20110167101A1 (en) * | 2004-06-24 | 2011-07-07 | Chris Hopen | End Point Control |
US20140020109A1 (en) * | 2012-07-16 | 2014-01-16 | Owl Computing Technologies, Inc. | File manifest filter for unidirectional transfer of files |
Families Citing this family (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7523484B2 (en) | 2003-09-24 | 2009-04-21 | Infoexpress, Inc. | Systems and methods of controlling network access |
US7831833B2 (en) * | 2005-04-22 | 2010-11-09 | Citrix Systems, Inc. | System and method for key recovery |
EP2176767A1 (en) * | 2005-06-14 | 2010-04-21 | Patrice Guichard | Data and a computer system protecting method and device |
US7590733B2 (en) * | 2005-09-14 | 2009-09-15 | Infoexpress, Inc. | Dynamic address assignment for access control on DHCP networks |
US20070174429A1 (en) * | 2006-01-24 | 2007-07-26 | Citrix Systems, Inc. | Methods and servers for establishing a connection between a client system and a virtual machine hosting a requested computing environment |
US20070192500A1 (en) * | 2006-02-16 | 2007-08-16 | Infoexpress, Inc. | Network access control including dynamic policy enforcement point |
US20070192858A1 (en) * | 2006-02-16 | 2007-08-16 | Infoexpress, Inc. | Peer based network access control |
US8151323B2 (en) * | 2006-04-12 | 2012-04-03 | Citrix Systems, Inc. | Systems and methods for providing levels of access and action control via an SSL VPN appliance |
US8566925B2 (en) | 2006-08-03 | 2013-10-22 | Citrix Systems, Inc. | Systems and methods for policy based triggering of client-authentication at directory level granularity |
US8108525B2 (en) | 2006-08-03 | 2012-01-31 | Citrix Systems, Inc. | Systems and methods for managing a plurality of user sessions in a virtual private network environment |
US20080289007A1 (en) * | 2007-05-17 | 2008-11-20 | Ajay Malik | System and Method for Granting Privileges Based on Location |
US8640203B2 (en) | 2007-06-04 | 2014-01-28 | Rajesh G. Shakkarwar | Methods and systems for the authentication of a user |
US8132247B2 (en) * | 2007-08-03 | 2012-03-06 | Citrix Systems, Inc. | Systems and methods for authorizing a client in an SSL VPN session failover environment |
CN101378400B (en) * | 2007-08-30 | 2013-01-30 | 国际商业机器公司 | Method, server and system for polymerizing desktop application and Web application |
US7925694B2 (en) * | 2007-10-19 | 2011-04-12 | Citrix Systems, Inc. | Systems and methods for managing cookies via HTTP content layer |
US8539551B2 (en) * | 2007-12-20 | 2013-09-17 | Fujitsu Limited | Trusted virtual machine as a client |
EP2241081B1 (en) | 2008-01-26 | 2018-05-02 | Citrix Systems, Inc. | Systems and methods for fine grain policy driven cookie proxying |
US8225106B2 (en) * | 2008-04-02 | 2012-07-17 | Protegrity Corporation | Differential encryption utilizing trust modes |
CN101272627B (en) * | 2008-04-30 | 2010-12-22 | 杭州华三通信技术有限公司 | Network access control method and apparatus for implementing roaming |
US8613045B1 (en) | 2008-05-01 | 2013-12-17 | F5 Networks, Inc. | Generating secure roaming user profiles over a network |
US8713177B2 (en) * | 2008-05-30 | 2014-04-29 | Red Hat, Inc. | Remote management of networked systems using secure modular platform |
US9100297B2 (en) | 2008-08-20 | 2015-08-04 | Red Hat, Inc. | Registering new machines in a software provisioning environment |
US8782204B2 (en) | 2008-11-28 | 2014-07-15 | Red Hat, Inc. | Monitoring hardware resources in a software provisioning environment |
US9558195B2 (en) | 2009-02-27 | 2017-01-31 | Red Hat, Inc. | Depopulation of user data from network |
US9313105B2 (en) * | 2009-02-27 | 2016-04-12 | Red Hat, Inc. | Network management using secure mesh command and control framework |
US9134987B2 (en) | 2009-05-29 | 2015-09-15 | Red Hat, Inc. | Retiring target machines by a provisioning server |
US20110022571A1 (en) * | 2009-07-24 | 2011-01-27 | Kevin Howard Snyder | Method of managing website components of a browser |
US8800044B2 (en) | 2011-03-23 | 2014-08-05 | Architelos, Inc. | Storing and accessing threat information for use in predictive modeling in a network security service |
US10009318B2 (en) * | 2012-03-14 | 2018-06-26 | Microsoft Technology Licensing, Llc | Connecting to a cloud service for secure access |
US9197647B2 (en) | 2013-10-21 | 2015-11-24 | Cisco Technology, Inc. | Integrity checking of a client device in a networked computer environment |
CN106576329B (en) * | 2014-09-26 | 2021-03-30 | 英特尔公司 | Context-based resource access mediation |
US10277688B2 (en) * | 2017-01-04 | 2019-04-30 | Microsoft Technology Licensing, Llc | Automatic installation activation selection for hosted services |
US20220159029A1 (en) * | 2020-11-13 | 2022-05-19 | Cyberark Software Ltd. | Detection of security risks based on secretless connection data |
CN112416522B (en) * | 2020-11-24 | 2024-06-28 | 北京华胜天成科技股份有限公司 | Virtual machine control method and device |
Citations (44)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0804012A2 (en) | 1996-04-23 | 1997-10-29 | Nokia Mobile Phones Ltd. | Multimedia terminal and method for realising multimedia reception |
WO1999057866A1 (en) | 1998-05-04 | 1999-11-11 | Auric Web Systems | User specific automatic data redirection system |
US6052780A (en) | 1996-09-12 | 2000-04-18 | Open Security Solutions, Llc | Computer system and process for accessing an encrypted and self-decrypting digital information product while restricting access to decrypted digital information |
US6128279A (en) | 1997-10-06 | 2000-10-03 | Web Balance, Inc. | System for balancing loads among network servers |
US6138153A (en) | 1994-02-14 | 2000-10-24 | Computer Associates Think, Inc. | System for software distribution in a digital computer network |
US6199099B1 (en) | 1999-03-05 | 2001-03-06 | Ac Properties B.V. | System, method and article of manufacture for a mobile communication network utilizing a distributed communication network |
US6244758B1 (en) | 1994-11-15 | 2001-06-12 | Absolute Software Corp. | Apparatus and method for monitoring electronic devices via a global network |
US6269392B1 (en) | 1994-11-15 | 2001-07-31 | Christian Cotichini | Method and apparatus to monitor and locate an electronic device using a secured intelligent agent |
US6300863B1 (en) | 1994-11-15 | 2001-10-09 | Absolute Software Corporation | Method and apparatus to monitor and locate an electronic device using a secured intelligent agent via a global network |
US6321334B1 (en) | 1998-07-15 | 2001-11-20 | Microsoft Corporation | Administering permissions associated with a security zone in a computer system security model |
US20020053031A1 (en) | 2000-04-12 | 2002-05-02 | Samuel Bendinelli | Methods and systems for hairpins in virtual networks |
WO2002037799A2 (en) | 2000-11-03 | 2002-05-10 | The Board Of Regents Of The University Of Nebraska | Load balancing method and system |
US20020099937A1 (en) | 2000-04-12 | 2002-07-25 | Mark Tuomenoksa | Methods and systems for using names in virtual networks |
US20020112052A1 (en) | 2001-02-13 | 2002-08-15 | Peter Brittingham | Remote computer capabilities querying and certification |
US20020167965A1 (en) | 2001-01-18 | 2002-11-14 | James Beasley | Link context mobility method and system for providing such mobility, such as a system employing short range frequency hopping spread spectrum wireless protocols |
WO2002099571A2 (en) | 2001-06-01 | 2002-12-12 | Fujitsu Network Communications Inc. | System and method for topology constrained routing policy provisioning |
US20020198984A1 (en) | 2001-05-09 | 2002-12-26 | Guy Goldstein | Transaction breakdown feature to facilitate analysis of end user performance of a server system |
US20030074472A1 (en) | 2001-10-16 | 2003-04-17 | Lucco Steven E. | Relsolving virtual network names |
EP1308822A2 (en) | 2001-10-30 | 2003-05-07 | Asgent, Inc. | Method and apparatus for ascertaining the status of an information system |
US20030191944A1 (en) | 2002-04-04 | 2003-10-09 | Rothrock Lewis V. | Method of providing adaptive security |
US20030196091A1 (en) | 2000-08-28 | 2003-10-16 | Contentguard Holdings, Inc. | Method and apparatus for validating security components through a request for content |
US20030229613A1 (en) | 2001-12-20 | 2003-12-11 | Shawn Zargham | System and method for managing interconnect carrier routing |
US6675206B1 (en) | 2000-04-14 | 2004-01-06 | International Business Machines Corporation | Method and apparatus for generating replies to address resolution protocol requests for virtual IP addresses |
US20040015961A1 (en) | 2001-03-19 | 2004-01-22 | International Business Machines Corporation | Method and apparatus for automatic prerequisite verification and installation of software |
US6701437B1 (en) | 1998-04-17 | 2004-03-02 | Vpnet Technologies, Inc. | Method and apparatus for processing communications in a virtual private network |
US20040078471A1 (en) | 2002-10-18 | 2004-04-22 | Collatus Corporation, A Delaware Corportion | Apparatus, method, and computer program product for building virtual networks |
US20040148439A1 (en) | 2003-01-14 | 2004-07-29 | Motorola, Inc. | Apparatus and method for peer to peer network connectivty |
US20040153533A1 (en) | 2000-07-13 | 2004-08-05 | Lewis Lundy M. | Method and apparatus for a comprehensive network management system |
US20040249919A1 (en) | 2003-06-04 | 2004-12-09 | Dirk Mattheis | System and method for remote systems management and reporting |
US6850943B2 (en) | 2002-10-18 | 2005-02-01 | Check Point Software Technologies, Inc. | Security system and methodology for providing indirect access control |
US20050044544A1 (en) | 1996-04-18 | 2005-02-24 | Microsoft Corporation | Methods and systems for obtaining computer software via a network |
US6874028B1 (en) | 1999-10-25 | 2005-03-29 | Microsoft Corporation | System and method for unified registration information collection |
US6873988B2 (en) | 2001-07-06 | 2005-03-29 | Check Point Software Technologies, Inc. | System and methods providing anti-virus cooperative enforcement |
US20050120095A1 (en) | 2003-12-02 | 2005-06-02 | International Business Machines Corporation | Apparatus and method for determining load balancing weights using application instance statistical information |
US6920502B2 (en) | 2000-04-13 | 2005-07-19 | Netilla Networks, Inc. | Apparatus and accompanying methods for providing, through a centralized server site, an integrated virtual office environment, remotely accessible via a network-connected web browser, with remote network monitoring and management capabilities |
US20050273779A1 (en) | 1996-06-07 | 2005-12-08 | William Cheng | Automatic updating of diverse software products on multiple client computer systems |
US6996631B1 (en) | 2000-08-17 | 2006-02-07 | International Business Machines Corporation | System having a single IP address associated with communication protocol stacks in a cluster of processing systems |
US7017162B2 (en) * | 2001-07-10 | 2006-03-21 | Microsoft Corporation | Application program interface for network software platform |
US7073093B2 (en) * | 2001-05-15 | 2006-07-04 | Hewlett-Packard Development Company, L.P. | Helpdesk system and method |
US7093024B2 (en) | 2001-09-27 | 2006-08-15 | International Business Machines Corporation | End node partitioning using virtualization |
US7099955B1 (en) | 2000-10-19 | 2006-08-29 | International Business Machines Corporation | End node partitioning using LMC for a system area network |
US7127493B1 (en) | 1998-08-20 | 2006-10-24 | Gautier Taylor S | Optimizing server delivery of content by selective inclusion of optional data based on optimization criteria |
US20060271544A1 (en) | 2005-05-27 | 2006-11-30 | International Business Machines Corporation | Methods and apparatus for selective workload off-loading across multiple data centers |
US7222172B2 (en) | 2002-04-26 | 2007-05-22 | Hitachi, Ltd. | Storage system having virtualized resource |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6779030B1 (en) * | 1997-10-06 | 2004-08-17 | Worldcom, Inc. | Intelligent network |
US7427802B2 (en) * | 2002-02-11 | 2008-09-23 | Stmicroelectronics S.A. | Irreversible reduction of the value of a polycrystalline silicon resistor |
US20040003084A1 (en) * | 2002-05-21 | 2004-01-01 | Malik Dale W. | Network resource management system |
US7343609B2 (en) * | 2004-06-04 | 2008-03-11 | Epo Science & Technology Inc. | Control mechanism for clamper guider in slot-in drive |
-
2005
- 2005-10-14 US US11/251,087 patent/US7827590B2/en active Active
-
2007
- 2007-10-29 US US11/927,286 patent/US7770222B2/en not_active Expired - Fee Related
Patent Citations (47)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6138153A (en) | 1994-02-14 | 2000-10-24 | Computer Associates Think, Inc. | System for software distribution in a digital computer network |
US6300863B1 (en) | 1994-11-15 | 2001-10-09 | Absolute Software Corporation | Method and apparatus to monitor and locate an electronic device using a secured intelligent agent via a global network |
US6244758B1 (en) | 1994-11-15 | 2001-06-12 | Absolute Software Corp. | Apparatus and method for monitoring electronic devices via a global network |
US6269392B1 (en) | 1994-11-15 | 2001-07-31 | Christian Cotichini | Method and apparatus to monitor and locate an electronic device using a secured intelligent agent |
US20050044544A1 (en) | 1996-04-18 | 2005-02-24 | Microsoft Corporation | Methods and systems for obtaining computer software via a network |
EP0804012A2 (en) | 1996-04-23 | 1997-10-29 | Nokia Mobile Phones Ltd. | Multimedia terminal and method for realising multimedia reception |
US20050273779A1 (en) | 1996-06-07 | 2005-12-08 | William Cheng | Automatic updating of diverse software products on multiple client computer systems |
US6052780A (en) | 1996-09-12 | 2000-04-18 | Open Security Solutions, Llc | Computer system and process for accessing an encrypted and self-decrypting digital information product while restricting access to decrypted digital information |
US6128279A (en) | 1997-10-06 | 2000-10-03 | Web Balance, Inc. | System for balancing loads among network servers |
US6701437B1 (en) | 1998-04-17 | 2004-03-02 | Vpnet Technologies, Inc. | Method and apparatus for processing communications in a virtual private network |
WO1999057866A1 (en) | 1998-05-04 | 1999-11-11 | Auric Web Systems | User specific automatic data redirection system |
US6321334B1 (en) | 1998-07-15 | 2001-11-20 | Microsoft Corporation | Administering permissions associated with a security zone in a computer system security model |
US7127493B1 (en) | 1998-08-20 | 2006-10-24 | Gautier Taylor S | Optimizing server delivery of content by selective inclusion of optional data based on optimization criteria |
US6199099B1 (en) | 1999-03-05 | 2001-03-06 | Ac Properties B.V. | System, method and article of manufacture for a mobile communication network utilizing a distributed communication network |
US6874028B1 (en) | 1999-10-25 | 2005-03-29 | Microsoft Corporation | System and method for unified registration information collection |
US20020099937A1 (en) | 2000-04-12 | 2002-07-25 | Mark Tuomenoksa | Methods and systems for using names in virtual networks |
US20020053031A1 (en) | 2000-04-12 | 2002-05-02 | Samuel Bendinelli | Methods and systems for hairpins in virtual networks |
US6920502B2 (en) | 2000-04-13 | 2005-07-19 | Netilla Networks, Inc. | Apparatus and accompanying methods for providing, through a centralized server site, an integrated virtual office environment, remotely accessible via a network-connected web browser, with remote network monitoring and management capabilities |
US6675206B1 (en) | 2000-04-14 | 2004-01-06 | International Business Machines Corporation | Method and apparatus for generating replies to address resolution protocol requests for virtual IP addresses |
US20040153533A1 (en) | 2000-07-13 | 2004-08-05 | Lewis Lundy M. | Method and apparatus for a comprehensive network management system |
US6996631B1 (en) | 2000-08-17 | 2006-02-07 | International Business Machines Corporation | System having a single IP address associated with communication protocol stacks in a cluster of processing systems |
US20030196121A1 (en) | 2000-08-28 | 2003-10-16 | Contentguard Holdings, Inc. | Method and apparatus for automatically deploy security components in a content distribution system |
US20030196091A1 (en) | 2000-08-28 | 2003-10-16 | Contentguard Holdings, Inc. | Method and apparatus for validating security components through a request for content |
US7099955B1 (en) | 2000-10-19 | 2006-08-29 | International Business Machines Corporation | End node partitioning using LMC for a system area network |
WO2002037799A2 (en) | 2000-11-03 | 2002-05-10 | The Board Of Regents Of The University Of Nebraska | Load balancing method and system |
US20020167965A1 (en) | 2001-01-18 | 2002-11-14 | James Beasley | Link context mobility method and system for providing such mobility, such as a system employing short range frequency hopping spread spectrum wireless protocols |
US7092987B2 (en) | 2001-02-13 | 2006-08-15 | Educational Testing Service | Remote computer capabilities querying and certification |
US20020112052A1 (en) | 2001-02-13 | 2002-08-15 | Peter Brittingham | Remote computer capabilities querying and certification |
US20040015961A1 (en) | 2001-03-19 | 2004-01-22 | International Business Machines Corporation | Method and apparatus for automatic prerequisite verification and installation of software |
US20020198984A1 (en) | 2001-05-09 | 2002-12-26 | Guy Goldstein | Transaction breakdown feature to facilitate analysis of end user performance of a server system |
US7073093B2 (en) * | 2001-05-15 | 2006-07-04 | Hewlett-Packard Development Company, L.P. | Helpdesk system and method |
WO2002099571A2 (en) | 2001-06-01 | 2002-12-12 | Fujitsu Network Communications Inc. | System and method for topology constrained routing policy provisioning |
US6873988B2 (en) | 2001-07-06 | 2005-03-29 | Check Point Software Technologies, Inc. | System and methods providing anti-virus cooperative enforcement |
US7017162B2 (en) * | 2001-07-10 | 2006-03-21 | Microsoft Corporation | Application program interface for network software platform |
US7093024B2 (en) | 2001-09-27 | 2006-08-15 | International Business Machines Corporation | End node partitioning using virtualization |
US20030074472A1 (en) | 2001-10-16 | 2003-04-17 | Lucco Steven E. | Relsolving virtual network names |
EP1308822A2 (en) | 2001-10-30 | 2003-05-07 | Asgent, Inc. | Method and apparatus for ascertaining the status of an information system |
US20030229613A1 (en) | 2001-12-20 | 2003-12-11 | Shawn Zargham | System and method for managing interconnect carrier routing |
US20030191944A1 (en) | 2002-04-04 | 2003-10-09 | Rothrock Lewis V. | Method of providing adaptive security |
US7222172B2 (en) | 2002-04-26 | 2007-05-22 | Hitachi, Ltd. | Storage system having virtualized resource |
US20040078471A1 (en) | 2002-10-18 | 2004-04-22 | Collatus Corporation, A Delaware Corportion | Apparatus, method, and computer program product for building virtual networks |
US6850943B2 (en) | 2002-10-18 | 2005-02-01 | Check Point Software Technologies, Inc. | Security system and methodology for providing indirect access control |
US20040148439A1 (en) | 2003-01-14 | 2004-07-29 | Motorola, Inc. | Apparatus and method for peer to peer network connectivty |
US20040249919A1 (en) | 2003-06-04 | 2004-12-09 | Dirk Mattheis | System and method for remote systems management and reporting |
US20050120095A1 (en) | 2003-12-02 | 2005-06-02 | International Business Machines Corporation | Apparatus and method for determining load balancing weights using application instance statistical information |
US7493380B2 (en) | 2003-12-02 | 2009-02-17 | International Business Machines Corporation | Method for determining load balancing weights using application instance topology information |
US20060271544A1 (en) | 2005-05-27 | 2006-11-30 | International Business Machines Corporation | Methods and apparatus for selective workload off-loading across multiple data centers |
Non-Patent Citations (4)
Title |
---|
"Microsoft(� ) Computer Dictionary." Fifth Edition. Microsoft Press. May 1, 2002. 2pgs. |
"Microsoft(® ) Computer Dictionary." Fifth Edition. Microsoft Press. May 1, 2002. 2pgs. |
Sheryl Canter, "Kill Internet Ads with HOSTS and PAC Files," Online! Mar. 30, 2004, Retrieved from the Internet: URL:https://web.archive.org/web20040426140542/https://www.windowsdevcenter.com/pub/a/windows/2004/03/30/hosts.html, retrieved on Jan. 24, 2006. |
Ulrich Kritzner, "Objektrferenz-Das Navigator-Objekt" Javascript-Tutorial, Online! Mar. 31, 2002, XP 002331683 Retrieved from website: https://web/archive/org/20020331004028/ttp:https://js-tut-aardon.de/js-tut/anhangA/navigator/html. |
Cited By (31)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8255973B2 (en) | 2003-12-10 | 2012-08-28 | Chris Hopen | Provisioning remote computers for accessing resources |
US10313350B2 (en) | 2003-12-10 | 2019-06-04 | Sonicwall Inc. | Remote access to resources over a network |
US9407456B2 (en) | 2003-12-10 | 2016-08-02 | Aventail Llc | Secure access to remote resources over a network |
US9397927B2 (en) | 2003-12-10 | 2016-07-19 | Aventail Llc | Rule-based routing to resources through a network |
US8301769B2 (en) | 2003-12-10 | 2012-10-30 | Aventail Llc | Classifying an operating environment of a remote computer |
US20100024008A1 (en) * | 2003-12-10 | 2010-01-28 | Chris Hopen | Managing Resource Allocations |
US20100036955A1 (en) * | 2003-12-10 | 2010-02-11 | Chris Hopen | Creating Rules For Routing Resource Access Requests |
US20050144481A1 (en) * | 2003-12-10 | 2005-06-30 | Chris Hopen | End point control |
US20100333169A1 (en) * | 2003-12-10 | 2010-12-30 | Chris Hopen | Classifying an Operating Environment of a Remote Computer |
US20110167475A1 (en) * | 2003-12-10 | 2011-07-07 | Paul Lawrence Hoover | Secure Access to Remote Resources Over a Network |
US9300670B2 (en) | 2003-12-10 | 2016-03-29 | Aventail Llc | Remote access to resources over a network |
US9197538B2 (en) | 2003-12-10 | 2015-11-24 | Aventail Llc | Rule-based routing to resources through a network |
US20070061887A1 (en) * | 2003-12-10 | 2007-03-15 | Aventail Corporation | Smart tunneling to resources in a network |
US20060143703A1 (en) * | 2003-12-10 | 2006-06-29 | Chris Hopen | Rule-based routing to resources through a network |
US10135827B2 (en) | 2003-12-10 | 2018-11-20 | Sonicwall Inc. | Secure access to remote resources over a network |
US9906534B2 (en) | 2003-12-10 | 2018-02-27 | Sonicwall Inc. | Remote access to resources over a network |
US8590032B2 (en) | 2003-12-10 | 2013-11-19 | Aventail Llc | Rule-based routing to resources through a network |
US8661158B2 (en) | 2003-12-10 | 2014-02-25 | Aventail Llc | Smart tunneling to resources in a network |
US8613041B2 (en) | 2003-12-10 | 2013-12-17 | Aventail Llc | Creating rules for routing resource access requests |
US8615796B2 (en) | 2003-12-10 | 2013-12-24 | Aventail Llc | Managing resource allocations |
US9628489B2 (en) | 2003-12-10 | 2017-04-18 | Sonicwall Inc. | Remote access to resources over a network |
US8601550B2 (en) | 2004-06-24 | 2013-12-03 | Aventail Llc | Remote access to resources over a network |
US20110167101A1 (en) * | 2004-06-24 | 2011-07-07 | Chris Hopen | End Point Control |
US8046757B2 (en) * | 2005-02-25 | 2011-10-25 | Nhn Corporation | Method for installing ActiveX control |
US20080046884A1 (en) * | 2005-02-25 | 2008-02-21 | Nhn Corporation | Method for installing activex control |
US8353005B2 (en) * | 2008-02-29 | 2013-01-08 | Microsoft Corporation | Unified management policy |
US20090222882A1 (en) * | 2008-02-29 | 2009-09-03 | Microsoft Corporation | Unified management policy |
US8458690B2 (en) * | 2009-04-29 | 2013-06-04 | Microsoft Corporation | Automated software deployment triggered by state differences in distributed systems |
US20100281473A1 (en) * | 2009-04-29 | 2010-11-04 | Microsoft Corporation | Automated software deployment triggered by state differences in distributed systems |
US20140020109A1 (en) * | 2012-07-16 | 2014-01-16 | Owl Computing Technologies, Inc. | File manifest filter for unidirectional transfer of files |
US9736121B2 (en) * | 2012-07-16 | 2017-08-15 | Owl Cyber Defense Solutions, Llc | File manifest filter for unidirectional transfer of files |
Also Published As
Publication number | Publication date |
---|---|
US20080134302A1 (en) | 2008-06-05 |
US20060161970A1 (en) | 2006-07-20 |
US7827590B2 (en) | 2010-11-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10313350B2 (en) | Remote access to resources over a network | |
US7770222B2 (en) | Creating an interrogation manifest request | |
US8255973B2 (en) | Provisioning remote computers for accessing resources | |
US7478420B2 (en) | Administration of protection of data accessible by a mobile device | |
US8020192B2 (en) | Administration of protection of data accessible by a mobile device | |
US7636936B2 (en) | Administration of protection of data accessible by a mobile device | |
US8359464B2 (en) | Quarantine method and system | |
EP1958093B1 (en) | Peer-to-peer remediation | |
US8528047B2 (en) | Multilayer access control security system | |
US7590684B2 (en) | System providing methodology for access control with cooperative enforcement | |
US20080109679A1 (en) | Administration of protection of data accessible by a mobile device | |
US20020112186A1 (en) | Authentication and authorization for access to remote production devices | |
US8732789B2 (en) | Portable security policy and environment | |
WO2004057834A2 (en) | Methods and apparatus for administration of policy based protection of data accessible by a mobile device | |
US9021253B2 (en) | Quarantine method and system | |
Christman | Guide to the Secure Configuration and Administration of Microsoft Internet Information Server 4.0® | |
Walker IV | Guide to the Secure Configuration and Administration of Microsoft Internet Information Services 5.0® | |
Johnson Jr | Attacking and Defending Windows 2000 | |
Tulyagijja | Implementing a secure windows 2000 servers for the internet | |
Foster | Attacking and Defending Windows XP Professional |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: AVENTAIL CORPORATION, WASHINGTON Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HOPEN, CHRIS;TOMLINSON, GARY;ANANDAM, PARVEZ;AND OTHERS;REEL/FRAME:022152/0214;SIGNING DATES FROM 20060210 TO 20060920 Owner name: AVENTAIL CORPORATION, WASHINGTON Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HOPEN, CHRIS;TOMLINSON, GARY;ANANDAM, PARVEZ;AND OTHERS;SIGNING DATES FROM 20060210 TO 20060920;REEL/FRAME:022152/0214 |
|
AS | Assignment |
Owner name: AVENTAIL LLC, CALIFORNIA Free format text: MERGER;ASSIGNOR:AVENTAIL CORPORATION;REEL/FRAME:022200/0475 Effective date: 20071211 Owner name: AVENTAIL LLC,CALIFORNIA Free format text: MERGER;ASSIGNOR:AVENTAIL CORPORATION;REEL/FRAME:022200/0475 Effective date: 20071211 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, NEW YORK Free format text: SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;SONICWALL, INC.;REEL/FRAME:024776/0337 Effective date: 20100723 Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, NEW YORK Free format text: PATENT SECURITY AGREEMENT (SECOND LIEN);ASSIGNORS:AVENTAIL LLC;SONICWALL, INC.;REEL/FRAME:024823/0280 Effective date: 20100723 |
|
AS | Assignment |
Owner name: AVENTAIL LLC, CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN PATENTS RECORDED ON REEL/FRAME 024776/0337;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:028177/0115 Effective date: 20120508 Owner name: AVENTAIL LLC, CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN PATENTS RECORDED ON REEL/FRAME 024823/0280;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:028177/0126 Effective date: 20120508 Owner name: SONICWALL, INC., CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN PATENTS RECORDED ON REEL/FRAME 024776/0337;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:028177/0115 Effective date: 20120508 Owner name: SONICWALL, INC., CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN PATENTS RECORDED ON REEL/FRAME 024823/0280;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:028177/0126 Effective date: 20120508 |
|
FEPP | Fee payment procedure |
Free format text: PAT HOLDER NO LONGER CLAIMS SMALL ENTITY STATUS, ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: STOL); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
FPAY | Fee payment |
Year of fee payment: 4 |
|
AS | Assignment |
Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NORTH CAROLINA Free format text: SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;DELL PRODUCTS, L.P.;DELL SOFTWARE INC.;REEL/FRAME:040030/0187 Effective date: 20160907 Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT, TEXAS Free format text: SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;DELL PRODUCTS L.P.;DELL SOFTWARE INC.;REEL/FRAME:040039/0642 Effective date: 20160907 Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLAT Free format text: SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;DELL PRODUCTS, L.P.;DELL SOFTWARE INC.;REEL/FRAME:040030/0187 Effective date: 20160907 Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., A Free format text: SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;DELL PRODUCTS L.P.;DELL SOFTWARE INC.;REEL/FRAME:040039/0642 Effective date: 20160907 |
|
AS | Assignment |
Owner name: DELL PRODUCTS L.P., TEXAS Free format text: RELEASE OF SECURITY INTEREST IN CERTAIN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040039/0642);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A.;REEL/FRAME:040521/0016 Effective date: 20161031 Owner name: DELL PRODUCTS, L.P., TEXAS Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:040521/0467 Effective date: 20161031 Owner name: DELL SOFTWARE INC., CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:040521/0467 Effective date: 20161031 Owner name: DELL SOFTWARE INC., CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN CERTAIN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040039/0642);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A.;REEL/FRAME:040521/0016 Effective date: 20161031 Owner name: AVENTAIL LLC, CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:040521/0467 Effective date: 20161031 Owner name: AVENTAIL LLC, CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN CERTAIN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040039/0642);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A.;REEL/FRAME:040521/0016 Effective date: 20161031 |
|
AS | Assignment |
Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NEW YORK Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040581/0850 Effective date: 20161031 Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLAT Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040581/0850 Effective date: 20161031 |
|
AS | Assignment |
Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NEW YORK Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040587/0624 Effective date: 20161031 Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLAT Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040587/0624 Effective date: 20161031 |
|
AS | Assignment |
Owner name: SONICWALL US HOLDINGS, INC., CALIFORNIA Free format text: INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:AVENTAIL LLC;REEL/FRAME:041072/0235 Effective date: 20161230 |
|
AS | Assignment |
Owner name: SONICWALL US HOLDINGS INC., CALIFORNIA Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE NATURE OF CONVEYANCE PREVIOUSLY RECORDED AT REEL: 041072 FRAME: 235. ASSIGNOR(S) HEREBY CONFIRMS THE INTELLECTUAL PROPERTY ASSIGNMENT AGREEMENT;ASSIGNOR:AVENTAIL LLC;REEL/FRAME:042245/0523 Effective date: 20161230 |
|
AS | Assignment |
Owner name: QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.), CALIFORNIA Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE PREVIOUSLY RECORDED AT REEL: 040587 FRAME: 0624. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:044811/0598 Effective date: 20171114 Owner name: QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.), CA Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE PREVIOUSLY RECORDED AT REEL: 040587 FRAME: 0624. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:044811/0598 Effective date: 20171114 Owner name: AVENTAIL LLC, CALIFORNIA Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE PREVIOUSLY RECORDED AT REEL: 040587 FRAME: 0624. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:044811/0598 Effective date: 20171114 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552) Year of fee payment: 8 |
|
AS | Assignment |
Owner name: QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.), CALIFORNIA Free format text: RELEASE OF FIRST LIEN SECURITY INTEREST IN PATENTS RECORDED AT R/F 040581/0850;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT;REEL/FRAME:046211/0735 Effective date: 20180518 Owner name: QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.), CA Free format text: RELEASE OF FIRST LIEN SECURITY INTEREST IN PATENTS RECORDED AT R/F 040581/0850;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT;REEL/FRAME:046211/0735 Effective date: 20180518 Owner name: AVENTAIL LLC, CALIFORNIA Free format text: RELEASE OF FIRST LIEN SECURITY INTEREST IN PATENTS RECORDED AT R/F 040581/0850;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT;REEL/FRAME:046211/0735 Effective date: 20180518 |
|
AS | Assignment |
Owner name: UBS AG, STAMFORD BRANCH, AS COLLATERAL AGENT, CONNECTICUT Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:SONICWALL US HOLDINGS INC.;REEL/FRAME:046321/0393 Effective date: 20180518 Owner name: UBS AG, STAMFORD BRANCH, AS COLLATERAL AGENT, CONNECTICUT Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:SONICWALL US HOLDINGS INC.;REEL/FRAME:046321/0414 Effective date: 20180518 Owner name: UBS AG, STAMFORD BRANCH, AS COLLATERAL AGENT, CONN Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:SONICWALL US HOLDINGS INC.;REEL/FRAME:046321/0414 Effective date: 20180518 Owner name: UBS AG, STAMFORD BRANCH, AS COLLATERAL AGENT, CONN Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:SONICWALL US HOLDINGS INC.;REEL/FRAME:046321/0393 Effective date: 20180518 |
|
FEPP | Fee payment procedure |
Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
LAPS | Lapse for failure to pay maintenance fees |
Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCH | Information on status: patent discontinuation |
Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
|
FP | Lapsed due to failure to pay maintenance fee |
Effective date: 20220803 |